US11849041B2ActiveUtilityA1

Secure exchange of session tokens for claims-based tokens in an extensible system

39
Assignee: VMWARE INCPriority: Apr 1, 2021Filed: Apr 1, 2021Granted: Dec 19, 2023
Est. expiryApr 1, 2041(~14.7 yrs left)· nominal 20-yr term from priority
H04L 9/3213H04L 9/3247H04L 63/0807H04L 63/126
39
PatentIndex Score
0
Cited by
8
References
17
Claims

Abstract

A method of securely exchanging a session token for a claims-based token by a plug-in integrated into an extensible system includes the steps of: transmitting, to an extensible system server of the extensible system, the session token and a request for a first claims-based token that corresponds to the session token and that is cryptographically signed by an authentication server; acquiring, from the extensible system server, the first claims-based token; transmitting, to the authentication server, the first claims-based token and a request for a second claims-based token; and receiving, from the authentication server, the second claims-based token, wherein the second claims-based token is cryptographically signed by the authentication server, and wherein if the second claims-based token is transmitted to a resource provider server hosting a resource provider service, the resource provider service performs a requested operation on behalf of an interactive user of the extensible system.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A method of securely exchanging a session token for a claims-based token by a plug-in integrated into an extensible computer system to enable the plug-in to authenticate with a resource provider service that performs operations for an interactive user of the extensible computer system, the method comprising:
 transmitting, to a host system server of the extensible computer system, the session token and a request for a first claims-based token that corresponds to the session token; 
 acquiring, from the host system server, the first claims-based token, wherein the first claims-based token is cryptographically signed by an authentication server, and wherein the first claims-based token is delegated by the authentication server to a service user of the host system server, the service user of the host system server operating on behalf of the interactive user; 
 transmitting, to the authentication server, the first claims-based token and a request for a second claims-based token; and 
 receiving, from the authentication server, the second claims-based token, wherein the second claims-based token is cryptographically signed by the authentication server, wherein the second claims-based token is delegated by the authentication server to a service user of the plug-in, the service user of the plug-in operating on behalf of the interactive user, and wherein the cryptographic signing of the second claims-based token and the delegation of the second claims-based token to the plug-in enable the plug-in to use the second claims-based token to authenticate with the resource provider service to make an application programming interface (API) call requesting the resource provider service to perform a requested operation on behalf of the interactive user. 
 
     
     
       2. The method of  claim 1 , further comprising cryptographically signing the request for the first claims-based token. 
     
     
       3. The method of  claim 1 , wherein acquiring the first claims-based token comprises retrieving the first claims-based token from a uniform resource locator (URL) configured for a webhook. 
     
     
       4. The method of  claim 1 , further comprising receiving the session token from a device of the interactive user. 
     
     
       5. The method of  claim 4 , further comprising:
 receiving, from the device, a request to perform the operation; 
 transmitting, to the resource provider service, the API call, including the second claims-based token, to perform the operation; and 
 receiving, from the resource provider service, a result of performing the operation. 
 
     
     
       6. The method of  claim 5 , further comprising cryptographically signing the API call before transmitting the API call to the resource provider service. 
     
     
       7. A non-transitory computer readable medium comprising instructions that are executable in an extensible computer system, wherein the instructions when executed cause the extensible computer system to carry out a method of securely exchanging a session token for a claims-based token by a plug-in integrated into the extensible computer system to enable the plug-in to authenticate with a resource provider service that performs operations on behalf of an interactive user of the extensible computer system, said method comprising:
 transmitting, to a host system server of the extensible computer system, the session token and a request for a first claims-based token that corresponds to the session token; 
 acquiring, from the host system server, the first claims-based token, wherein the first claims-based token is cryptographically signed by an authentication server, and wherein the first claims-based token is delegated by the authentication server to a service user of the host system server, the service user of the host system server operating on behalf of the interactive user; 
 transmitting, to the authentication server, the first claims-based token and a request for a second claims-based token; and 
 receiving, from the authentication server, the second claims-based token, wherein the second claims-based token is cryptographically signed by the authentication server, wherein the second claims-based token is delegated by the authentication server to a service user of the plug-in, the service user of the plug-in operating on behalf of the interactive user, and wherein the cryptographic signing of the second claims-based token and the delegation of the second claims-based token to the plug-in enable the plug-in to use the second claims-based token to authenticate with the resource provider service to make an application programming interface (API) call requesting the resource provider service to perform a requested operation on behalf of the interactive user. 
 
     
     
       8. The non-transitory computer readable medium of  claim 7 , the method further comprising cryptographically signing the request for the first claims-based token. 
     
     
       9. The non-transitory computer readable medium of  claim 7 , wherein acquiring the first claims-based token comprises retrieving the first claims-based token from a uniform resource locator (URL) configured for a webhook. 
     
     
       10. The non-transitory computer readable medium of  claim 8 , the method further comprising receiving the session token from a device of the interactive user. 
     
     
       11. The non-transitory computer readable medium of  claim 10 , the method further comprising:
 receiving, from the device, a request to perform the operation; 
 transmitting, to the resource provider service, the API call, including the second claims-based token, to perform the operation; and 
 receiving, from the resource provider service, a result of performing the operation. 
 
     
     
       12. The non-transitory computer readable medium of  claim 11 , the method further comprising cryptographically signing the API call before transmitting the API call to the resource provider service. 
     
     
       13. An extensible computer system comprising:
 an authentication server; 
 a host system server; and 
 a plug-in server hosting a plug-in that is integrated into the extensible computer system and that is to authenticate with a resource provider service that performs operations for an interactive user of the extensible computer system, wherein the plug-in server runs on a hardware platform that includes a processor and memory, and the processor is configured to execute instructions from the memory to:
 transmit, to the host system server, a session token and a request for a first claims-based token that corresponds to the session token; 
 acquire, from the host system server, the first claims-based token, wherein the first claims-based token is cryptographically signed by the authentication server, and wherein the first claims-based token is delegated by the authentication server to a service user of the host system server, the service user of the host system server operating on behalf of the interactive user; 
 transmit, to the authentication server, the first claims-based token and a request for a second claims-based token; and 
 receive, from the authentication server, the second claims-based token, wherein the second claims-based token is cryptographically signed by the authentication server, wherein the second claims-based token is delegated by the authentication server to a service user of the plug-in, the service user of the plug-in operating on behalf of the interactive user, and wherein the cryptographic signing of the second claims-based token and the delegation of the second claims-based token to the plug-in enable the plug-in to use the second claims-based token to authenticate with the resource provider service to make an application programming interface (API) call requesting the resource provider service to perform a requested operation on behalf of the interactive user. 
 
 
     
     
       14. The extensible computer system of  claim 13 , wherein the plug-in server is further configured to cryptographically sign the request for the first claims-based token. 
     
     
       15. The extensible computer system of  claim 13 , wherein acquiring the first claims-based token comprises retrieving the first claims-based token from a uniform resource locator (URL) configured for a webhook. 
     
     
       16. The extensible computer system of  claim 13 , wherein the plug-in server receives the session token from a device of the interactive user. 
     
     
       17. The extensible computer system of  claim 16 ,
 wherein the plug-in server receives, from the device, a request to perform the operation, and 
 wherein the plug-in server is further configured to:
 transmit, to the resource provider service, the API call, including the second claims-based token, to perform the operation, and 
 receive, from the resource provider service, a result of performing the operation.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.